erase FD_CLOEXEC flag.
In recent Glibc and kernels, the default action is to set FD_CLOEXEC
when duplicating a descriptor. The CGI routine uses an execve() call
and the parent starts listening to stdout of the child. Therefore
the closing of STDOUT_FILENO must be prevented nowadays.

resolve inconsistent signedness use by quote( , ).
The source code is written with indiscriminate use of string types
'char *' and 'unsigned char *' when it comes to translating back and
forth between url-encoded and unix-path encoded strings.
.
In 'quote( , )' the string 'buf[2048]' is indeed only used to store
true ASCII-characters, it is thus now declared using 'char *'.
In this function the first argument can contain extended ASCII
characters, so strlen() for the same argument can use a cast,
since it only searches for the terminating null character.
.
Three calls to 'quote( , )' are legitimate, but need to use a cast
to unsigned character strings in order to fit the prototype.

predictably set socket option IPV6_V6ONLY.
The default mode of operation for Webfs was intended to
listen on both IPv4 and IPv6. To be certain this always
can be done, the patch assigns the socket option a value
IPV6_V6ONLY=0, thus overriding any system default that
might be in effect.
.
Conversely, had '-6' been specified, then make sure that
IPV6_V6ONLY=1 is used.

implement a few critical preventive error checks.
The error trapping is insufficient in the original source.
.
The patch prepares for implementing such trapping, and also
improves two conditionals which only with later changes will
actually matter, but for now are non-intrusive.

implement support for gnutls.
This patch set implements the option to let GnuTLS replace OpenSSL,
which was the only option in the original source code.
.
The alterations leave OpenSSL code intact, and also let GnuTLS
be used in a threaded setting.
.
No client verifications are implemented, neither can the crypto
key be protected by a pass phrase at this time.
.
Explicit linking to "gcrypt". This is needed by "binutils-gold".
Reported as LP: #665276. Contributed by Roy Jamison.

further useful functionality from libgnutls.
Continuing on the first implementation for using libgnutls,
this patch set includes further checks and refined properties.
.
Allow server certificate and key to be contained in separate files.
.
Allow the server to use a CA-chain file.
.
Arrange the cipher priorities to be configurable at start up.
.
Implement some useful verifications of the client certificate and
its certificate chain. This is crafted as an on/off-option.

two cases of potential access escalation.
For reading access to a file, the checking of group access
was incorrectly implemented, using a mixture of user and
group identities.
.
The supplementary group list was only reset in case an explicit
group change had been requested, thus opening for potential
access escalation. The code is changed to always reset the
supplementary group list. This new default behaviour seems
to best go with the philosophy of the original software.
.
Testing could not unveil any noticeable side effect of this
latter additional change.